I was recently listening to a Pauldotcom podcast episode (if you have not heard any of these and you have any infosec interest at all, run over there and start downloading) and there was a side comment in one of the interview sections about the cost of compliance being a possible drain on real innovations that will help to address information security problems. This struck an immediate thought in my head that the statement and general concept absolutely must be true. I want to expand on that concept with my personal thoughts and experiences with compliance as an IT security professional. These are my personal opinions only and should not be construed as the opinion of my employer or consulting customers.
The costs of compliance with infosec-impacting regulations are definitely huge, as anyone working in IT security today can attest. Compliance with particular federal regulations impacting IT security and networking was a topic I frequently wrote and spoke about at pharmaceutical industry conferences just a few years ago. That is just one industry vertical example with IT security compliance requirements embedded in federal regulations; depending on the scope and area of business for any given operation, HIPAA, Sarbanes-Oxley, GLBA, MA 201 CMR 17.00 and similar state privacy regulations, Cal. Civ. Code 1798.82 and 1798.29 and similar breach notification regulations, Customs and Border Protection regulations, 21 CFR Part 11, and so on, as well as industry standards such as PCI DSS, may be in play. Depending on the size of the organization and the particular regulations in question, the costs attributable to compliance vary. The statement that rings true in most studies I have seen is that the cost burden is definitely higher per capita on smaller organizations, and that most of the costs are attributable to compliance with actual laws and regulations rather than industry standards or practice. As is stated in the survey linked above, costs for non-compliance are definitely higher than the costs of compliance; that I do not dispute.
These findings are definitely trends I personally have observed as intuitively true. The problem with these compliance efforts is not that they enforce minimum security standards on organizations; it is that they provide a false sense of security to business leaders, investors, and customers and cause an allocation of budget and resources that might not make sense in their absence. Compliance with these regulations, and the creation, monitoring, and auditing of controls and systems put in place to achieve compliance, eat up a large percentage of IT security time and budget. I have long asserted that the technical and process controls in the majority of regulations I have experience with are, from an IT security perspective, common sense and should be in place already in any reasonably sized mature organization. The “cost of non-compliance” is the cost of dealing in one way or another with the resulting incidents, and the return on investment for IT security as a risk reduction mechanism is an easy case to build in this context. When compliance alone is used as the basis for an IT security business case or return on investment calculation, the goal is shifted from reduction of real business impact to passing an audit to avoid fines, fees, and other statutory-type costs. The parts of these regulations which are not common sense security control requirements are often those which drive levels of documentation, audit preparation, record retention, etc., that serve no other business purpose.
Passing an audit often stops short of reduction of real business risk in IT security. The controls required and the methods of testing are common sense, sterile, and not representative of any given actual threat landscape a business may face at any particular point in time. I’ve watched auditors “verify strong authentication for administrator accounts” by typing in pregenerated lists of passwords for a root account such as “password”, “mycat”, “test”, etc. on a single host in the data center and then come to the finding that strong password policies were enforced. I’ve been asked “do you have a firewall” and “do you have an intrusion detection system” and passed the IT security section of an audit. These are not unreasonable questions, but they do little to verify the IT security status of any organization. It is a definite fact that insecure, risky, and improperly configured environments pass these kinds of audits every day, giving leaders, customers, and investors very false senses of security and curtailing their own responsibilities for due diligence. This is one unseen cost of infosec regulation: responsible parties take less responsibility for security when there are check marks, seals of approval, and audit statements in annual reports. The almost inevitable breach is then met with complete shock. “How were we compromised? We passed every audit!”
Compliance with IT security regulations has spawned mini-industry after mini-industry of miracle compliance tools and technologies that do little to improve actual security, and sometimes heavily drive FTE and investment costs for little benefit other than simply complying with a particular regulatory requirement. I can think of many specific examples of IT technology that I, my employees, or my consulting customers would not have deployed unless they were specifically addressing a regulatory requirement. This is all money and time that could and should have been spent elsewhere to actually mitigate risks present in the environment. Would net security expenditures go down in a regulation-free environment? I don’t think so, but as an experienced professional in the field I can come up with clear examples where the money and time would have been spent in more productive ways. This is yet another unseen cost of infosec regulation: the time and money that would otherwise be spent on reduction, insurance, and planning around actual risks to the environment. It almost goes without saying that good security products go unpurchased, and installed useful tools go minimally used and configured, because with limited budget and resources the focus is on those technologies that “ensure compliance.”
The final unseen cost I will note is a result of the barrier to entry to many industries presented by infosec regulations. As stated in the study linked above, these regulations are very costly for small organizations to implement. Whereas in the absence of regulation a smaller organization might choose to accept or insure against some risk, the regulation forces them to implement some expensive technical and process controls. These costs might very well be the margin which makes new start-up companies and innovative products unprofitable to produce. Referring back to the previous points, an entrepreneur with a security tool or product might also be deterred from entering the market if the tool could not be sold as a requirement for compliance with a particular regulation. In these ways there is a logical impact on innovation in IT security and all other industries subject to regulation, and thus a major unseen cost to security regulation.
Due to the costs of data breaches and the business impact of security incidents, those businesses that made poor choices in hiring, projects, and security in general would be punished severely even in the absence of any IT security regulation. The costs due to disrupted operations, IP theft, reputation damage, and direct financial theft or fraud need to be measured by business leaders and technologists, and appropriate controls must be put in place. Failure to do so should mean failure of the business. The creation of broad, general regulatory frameworks and ineffective auditing for compliance in IT security technology, people, and process diverts resources from addressing actual risks to the business and presents a false sense of security, in the literal sense, for those decision makers with the actual responsibility to ensure security for their business, customers, partners, investors, and everyone else with a stake in the success of the organization.